rails--rails/actioncable/test/connection/cross_site_forgery_test.rb

# frozen_string_literal: true

require "test_helper"
require "stubs/test_server"

class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
  HOST = "rubyonrails.com"

  class Connection < ActionCable::Connection::Base
    def send_async(method, *args)
      send method, *args
    end
  end

  setup do
    @server = TestServer.new
    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
    @server.config.allow_same_origin_as_host = false
  end

  teardown do
    @server.config.disable_request_forgery_protection = false
    @server.config.allowed_request_origins = []
    @server.config.allow_same_origin_as_host = true
  end

  test "disable forgery protection" do
    @server.config.disable_request_forgery_protection = true
    assert_origin_allowed "http://rubyonrails.com"
    assert_origin_allowed "http://hax.com"
  end

  test "explicitly specified a single allowed origin" do
    @server.config.allowed_request_origins = "http://hax.com"
    assert_origin_not_allowed "http://rubyonrails.com"
    assert_origin_allowed "http://hax.com"
  end

  test "explicitly specified multiple allowed origins" do
    @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
    assert_origin_allowed "http://rubyonrails.com"
    assert_origin_allowed "http://www.rubyonrails.com"
    assert_origin_not_allowed "http://hax.com"
  end

  test "explicitly specified a single regexp allowed origin" do
    @server.config.allowed_request_origins = /.*ha.*/
    assert_origin_not_allowed "http://rubyonrails.com"
    assert_origin_allowed "http://hax.com"
  end

  test "explicitly specified multiple regexp allowed origins" do
    @server.config.allowed_request_origins = [/http:\/\/ruby.*/, /.*rai.s.*com/, "string" ]
    assert_origin_allowed "http://rubyonrails.com"
    assert_origin_allowed "http://www.rubyonrails.com"
    assert_origin_not_allowed "http://hax.com"
    assert_origin_not_allowed "http://rails.co.uk"
  end

  test "allow same origin as host" do
    @server.config.allow_same_origin_as_host = true
    assert_origin_allowed "http://#{HOST}"
    assert_origin_not_allowed "http://hax.com"
    assert_origin_not_allowed "http://rails.co.uk"
  end

  private
    def assert_origin_allowed(origin)
      response = connect_with_origin origin
      assert_equal(-1, response[0])
    end

    def assert_origin_not_allowed(origin)
      response = connect_with_origin origin
      assert_equal 404, response[0]
    end

    def connect_with_origin(origin)
      response = nil

      run_in_eventmachine do
        response = Connection.new(@server, env_for_origin(origin)).process
      end

      response
    end

    def env_for_origin(origin)
      Rack::MockRequest.env_for "/test", "HTTP_CONNECTION" => "upgrade", "HTTP_UPGRADE" => "websocket", "SERVER_NAME" => HOST,
        "HTTP_HOST" => HOST, "HTTP_ORIGIN" => origin
    end
end
Use frozen string literal in actioncable/ 2017-07-16 13:10:15 -04:00			`# frozen_string_literal: true`

applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`require "test_helper"`
			`require "stubs/test_server"`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00
Run connection tests in EM loop 2015-10-15 22:11:49 -04:00			`class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`HOST = "rubyonrails.com"`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00
Run connection tests in EM loop 2015-10-15 22:11:49 -04:00			`class Connection < ActionCable::Connection::Base`
			`def send_async(method, *args)`
			`send method, *args`
			`end`
			`end`

First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`setup do`
			`@server = TestServer.new`
Treat ORIGIN as an opaque identifier and do equality comparison with the specified whitelist 2015-10-12 19:14:14 -04:00			`@server.config.allowed_request_origins = %w( http://rubyonrails.com )`
Permit same-origin connections by default WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it. 2016-10-10 22:21:10 -04:00			`@server.config.allow_same_origin_as_host = false`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

Treat ORIGIN as an opaque identifier and do equality comparison with the specified whitelist 2015-10-12 19:14:14 -04:00			`teardown do`
			`@server.config.disable_request_forgery_protection = false`
			`@server.config.allowed_request_origins = []`
Permit same-origin connections by default WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it. 2016-10-10 22:21:10 -04:00			`@server.config.allow_same_origin_as_host = true`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

			`test "disable forgery protection" do`
			`@server.config.disable_request_forgery_protection = true`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`assert_origin_allowed "http://rubyonrails.com"`
			`assert_origin_allowed "http://hax.com"`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

			`test "explicitly specified a single allowed origin" do`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`@server.config.allowed_request_origins = "http://hax.com"`
			`assert_origin_not_allowed "http://rubyonrails.com"`
			`assert_origin_allowed "http://hax.com"`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

			`test "explicitly specified multiple allowed origins" do`
Treat ORIGIN as an opaque identifier and do equality comparison with the specified whitelist 2015-10-12 19:14:14 -04:00			`@server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`assert_origin_allowed "http://rubyonrails.com"`
			`assert_origin_allowed "http://www.rubyonrails.com"`
			`assert_origin_not_allowed "http://hax.com"`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

Allow regexp for a allowed_request_origins array 2015-12-05 16:58:31 -05:00			`test "explicitly specified a single regexp allowed origin" do`
			`@server.config.allowed_request_origins = /.ha./`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`assert_origin_not_allowed "http://rubyonrails.com"`
			`assert_origin_allowed "http://hax.com"`
Allow regexp for a allowed_request_origins array 2015-12-05 16:58:31 -05:00			`end`

			`test "explicitly specified multiple regexp allowed origins" do`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`@server.config.allowed_request_origins = [/http:\/\/ruby./, /.rai.s.*com/, "string" ]`
			`assert_origin_allowed "http://rubyonrails.com"`
			`assert_origin_allowed "http://www.rubyonrails.com"`
			`assert_origin_not_allowed "http://hax.com"`
			`assert_origin_not_allowed "http://rails.co.uk"`
Allow regexp for a allowed_request_origins array 2015-12-05 16:58:31 -05:00			`end`

Optionally allow ActionCable requests from the same host as origin When the `allow_same_origin_as_host` is set to `true`, the request forgery protection permits `HTTP_ORIGIN` values starting with the corresponding `proto://` prefix followed by `HTTP_HOST`. This way it is not required to specify the list of allowed URLs. 2016-09-21 08:55:25 -04:00			`test "allow same origin as host" do`
			`@server.config.allow_same_origin_as_host = true`
			`assert_origin_allowed "http://#{HOST}"`
			`assert_origin_not_allowed "http://hax.com"`
			`assert_origin_not_allowed "http://rails.co.uk"`
			`end`

First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`private`
			`def assert_origin_allowed(origin)`
			`response = connect_with_origin origin`
Remove warnings from actioncable Warnings coming from code and test are removed 2015-12-17 10:23:36 -05:00			`assert_equal(-1, response[0])`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

			`def assert_origin_not_allowed(origin)`
			`response = connect_with_origin origin`
			`assert_equal 404, response[0]`
			`end`

			`def connect_with_origin(origin)`
Run connection tests in EM loop 2015-10-15 22:11:49 -04:00			`response = nil`

			`run_in_eventmachine do`
			`response = Connection.new(@server, env_for_origin(origin)).process`
			`end`

			`response`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`

			`def env_for_origin(origin)`
applies new string literal convention in actioncable/test The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default. 2016-08-06 13:15:15 -04:00			`Rack::MockRequest.env_for "/test", "HTTP_CONNECTION" => "upgrade", "HTTP_UPGRADE" => "websocket", "SERVER_NAME" => HOST,`
			`"HTTP_HOST" => HOST, "HTTP_ORIGIN" => origin`
First take at cross site forgery protection 2015-10-07 12:24:20 -04:00			`end`
			`end`